Close to All Facebook Outbound Notification Emails Encrypted

All that’s missing from the organic “encrypt the web” movement seems to be a hashtag. Otherwise, no one can accuse major web providers of slacking: leading players such as Microsoft and Yahoo, prompted by the Snowden leaks, have made noteworthy leaps in the last 15 months to encrypt everything from search keywords to data center links to email services.

Facebook today published numbers that show just how pervasive encryption is becoming on the web. After a plea in May for others to start supporting STARTTLS, the social network said today that 95 percent of its outbound notification emails were successfully encrypted in transit, with both Perfect Forward Secrecy and certificate validation in place.

“Since STARTTLS encryption requires both sides to deploy it, we encouraged others to take the next step,” said Michael Adkins, a mail integrity engineer at Facebook.

Facebook reported three months ago that only 28.6 percent of its outbound notifications were encrypted and passed certificate validation. The skyrocketing numbers, Adkins said, are due in large part to actions by providers such as Yahoo and Microsoft.

Since July 1, both have announced either enhancements to existing encryption efforts, or initiatives to continue building on what’s already in place. Microsoft, for example, announced that Outlook.com supported TLS encryption on inbound and outbound messages, as well as Perfect Forward Secrecy. Microsoft also enabled Perfect Forward Secrecy on its OneDrive cloud-based storage platform.

Perfect Forward Secrecy, along with HSTS and TLS, is starting to be considered a minimum standard for new applications. Google, Yahoo, Microsoft and others moved quickly during the last 15 months of Snowden revelations to fight perceptions and intimations they were somehow complicit with government surveillance efforts. The surge in encryption deployments removes even a notion of tacit complicity.

“Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,” said Microsoft vice president, Trustworthy Computing, Matt Thomlinson in July. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”

Facebook said strict encryption has jumped to 95 percent of its notification email messages to users, while opportunistic encryption has plummeted to close to zero. In May, Facebook reported that strict validation, or completely successful TLS negotiations, happened in 30 percent of cases, while in another 28 percent, opportunistic encryption happened where a TLS cipher suite was negotiated, but the certificate did not pass strict validation.
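The strict versus opportunistic distinction described above, plus the forward-secrecy property Thomlinson refers to, as an added example that is not Facebook’s or Threatpost’s code: a small Python probe that attempts STARTTLS against a single mail host, first with certificate validation and then without, and reports which of the report’s three categories the server falls into. The helper names and any host you pass in are assumptions of this example.

```python
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class TlsProbe:
    tls_offered: bool        # server advertised STARTTLS in its EHLO response
    tls_negotiated: bool     # a TLS session was actually established
    cert_validated: bool     # chain and hostname passed strict validation
    cipher: str = ""         # negotiated suite, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    version: str = ""        # negotiated protocol, e.g. "TLSv1.2"


def classify(p: TlsProbe) -> str:
    """Map a probe onto the three categories used in Facebook's report."""
    if not p.tls_negotiated:
        return "none"
    return "strict" if p.cert_validated else "opportunistic"


def has_forward_secrecy(cipher: str, version: str) -> bool:
    """A per-connection key needs ephemeral (EC)DHE key exchange: every
    TLS 1.3 suite has it, older suites only when the name says so."""
    return version == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> TlsProbe:
    """Try STARTTLS against one mail host with strict validation first; only
    if the certificate fails do we retry with validation off, to learn whether
    the server would still negotiate TLS (the opportunistic case)."""
    strict = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    for ctx, validated in ((strict, True), (lax, False)):
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return TlsProbe(False, False, False)
            try:
                smtp.starttls(context=ctx)
            except ssl.SSLCertVerificationError:
                continue                    # strict failed on the cert: try lax
            except (ssl.SSLError, smtplib.SMTPException, OSError):
                return TlsProbe(True, False, False)
            name, proto, _bits = smtp.sock.cipher()
            return TlsProbe(True, True, validated, name, proto)
    return TlsProbe(True, False, False)     # TLS would not negotiate at all
```

Run `probe_mx()` against a mail host you operate and feed the result to `classify()` and `has_forward_secrecy()` to see whether it would count toward the 95 percent.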

Adkins said that Facebook isn’t satisfied with 95 percent.

“In addition to thanking these service providers for implementing best practices and allowing stronger encryption to take hold, we’d like to encourage any remaining providers to deploy STARTTLS as soon as possible,” Adkins said.

This story was updated Aug. 21 to clarify that outbound notification emails are encrypted.

Comments (3)

This is misleading. Only the transport of the emails from Facebook to the mail server is encrypted. The mails themselves are not encrypted and can be read by the mail provider or anybody who has access to those systems. This is not end-to-end security like HTTP but hop-by-hop security. Real mail encryption with end-to-end security would be PGP or S/MIME.

While I agree with you about only the transport being encrypted, and that the article is misleading, it is still important. Since we know that part of a certain agency’s goals were to read as much traffic in transit as possible, this helps protect against that. So long as the email providers themselves are not rolling over and allowing said agency to tap directly into their databases or internal network. If your concern is government snooping, then, so long as every trunk between your email provider and your recipient’s email provider is encrypted, this makes email a pretty safe bet.

It does nothing, however, if the government (or criminal element) means to target YOU. They will (via malware usually) get to your computing device, and then no amount of encryption is going to help you. Progress in one area is no reason to rest, but don’t let the perfect be the enemy of the good.

I concur with Steffen Ullrich and I’m surprised that Threatpost would present this as it did without explaining it. Kaspersky has some very talented professionals; perhaps the site should rely on them before misrepresenting security issues.
